Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb

US Voting Machines Riddled With Vulnerabilities & Security Flaws

The highly anticipated report form the DEF CON Voting Machine Hacking Village finds that any number of voting machines used in US elections are vulnerable to any number of attacks or hacks.

At this year's DEF CON show, organizers constructed a Voting Machine Hacking Village for the second year in a row. This time around, the Village included more details of the overall election environment in the US, ranging from voter registration records to election night reporting.

Now the verdict is in and it's not good as we head into November.

The number and severity of vulnerabilities found on the equipment was "staggering," according to a detailed writeup recently released by the Village organizers.

Additionally, the organizers of this year's event found dozens of vulnerabilities on equipment that is still used throughout the US.

For example, a voting tabulator currently used in 23 states can be remotely attacked through a network. Since this one machine has a high amount of traffic that passes through it, hacking one of them could lead to poisoning of the overall Electoral College results, according to the report.

A version of the Premier/Diebold AccuVote TSx voting machine that researchers examined\r\n(Source: Wikipedia)\r\n
A version of the Premier/Diebold AccuVote TSx voting machine that researchers examined
\r\n(Source: Wikipedia)\r\n

The same machine has a critical vulnerability that was reported a decade ago to the vendor, but remains unfixed as of its use in 2016.

Researchers also found that a machine currently used by 18 states can be hacked in under two minutes. Given that the average voter takes six minutes to cast their ballot, this shows that a hack can be performed at the polling place within the normal voting time.

Plenty of targets
In order to study voting hacking, organizers went to secondary markets such as eBay, as well as government auctions to find used voting machines and other hardware. All told, they ended up with:

  • Dominion: Premier/Diebold AccuVote TSx
  • Dominion: AVC Edge
  • ES&S: ExpressPoll Tablet Electronic Pollbook
  • ES&S: M650
  • AVS: WINVote
  • AVC Edge activation device
  • ACOSJ dual interface Java card

The Voting Village did not provide any Election Management Systems (EMS) to attendees. In a real election environment, this system is a key element as the originator and aggregator of election data.

In formal studies, it has been found to be the most vulnerable element. An EMS can radiate additional attack surfaces and vectors across the elections system as a whole.

While an EMS is a critical part of a real election system, it was not considered a critical element within the DEF CON Village.

The network used in the tests was generated by KIG CyberRange. It was considered by the Villagers to be safe, virtual and isolated. It also allowed hackers the freedom to attempt attacks like an SQL Injection in order to compromise the simulated elections office. The attackers had the Kali Linux toolset available to them for manipulation and use.

The network also enabled exfiltration of the data that was designated as the target.

The suspect machines
Let's get closer to what was found in some of the hardware tested. What's there?

The Diebold ExpressPoll-5000 is an electronic pollbook, used by individual poll workers to help check voters in before they are permitted to vote. Its operating system is a version of Windows CE.

Investigators were able to access the file system, as well as read and write the voter databases using the widely available SQL Lite database program. The investigators also found entries in the database where the passwords to the ExpressPoll-5000 were stored in cleartext.

The Dominion AVC Edge is a touchscreen machine with direct-recording electronic capabilities. It is activated by a smart card, and records votes on internal flash memory.

The Edge's hardware is common and there are no obstacles to creating rogue software deployments for the device. The lack of security is pervasive, owing to the liberal threat model seemingly present when it was manufactured.

The AccuVote TSx is an electronic voting machine manufactured by Premier Voting Solutions. The AccuVote TSx is currently used in Alaska, Arizona, California, Colorado, Florida, Georgia, Illinois, Indiana, Kansas, Missouri, Mississippi, Ohio, Pennsylvania, Tennessee, Texas, Utah, Wisconsin and Wyoming.

The DEF CON Villagers found that the voter activation card was programmed to automatically reset itself after activating the device. This could allow the machine to be used to cast unlimited number of ballots, which is what was found to occur.

Villagers also realized that this particular machine could allow an attack to be distributed remotely with no physical access to the voting machine. Indeed, Villagers found that third parties with no access to the EMS can create rogue election definitions which are indistinguishable from real elections.

Since the only record of a voter's intent is in digital form the intent becomes manipulatable and the machine's summaries unreliable.

The ES&S M650 is an electronic ballot scanner and tabulator manufactured by ES&S. It is used for counting both regular and absentee ballots.

There is some pizzazz to it. It launches ballots through an optical scanner to tally them, and keeps count on an internal, 128MB SanDisk flash storage card.

It runs the QNX 4.2 operating system on an Octagon 5066 Board with an AMD Am5x86 processor at 133MHz. If you use a $10 adapter (VTC-9F to DB-9 adapter cable, item 1041), a serial connection can be established to the M650 machine by connecting to the main 5066 CPU board. Getting around the cabinet locks is not a problem.

It seems that connecting a laptop will allow root access to a serial terminal session with username "root" and no password. There is not even minimal account security, according to the Villagers.

There are other communication ports in the device, and other ways to manipulate stored data as well.

A Zip disk, which is an obsolete storage device, can be read by them. It's also an attack surface. If there is an autorun program on the voting machine, the M650 is then simply looking for a file on the Zip disk with a certain name. It will trust and execute it with the maximum level of privileges.

That’s not a good way to do things.

Decades of problems
Over a decade ago, the University of Pennsylvania gave a negative evaluationto the machine.

However, it currently remains in use in Arkansas, California, Florida, Idaho, Illinois, Indiana, Kansas, Minnesota, Missouri, Montana, North Carolina, Nebraska, New Jersey, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Washington, West Virginia and Wyoming.

The election process is at risk from the tools used to carry it out. The threat is obvious and well-researched. Efforts like those of the Villagers stand to remind us of the stakes that are involved.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...